@oxyhq/core 1.0.2 → 1.2.0

package/dist/cjs/AuthManager.js

@@ -10,6 +10,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthManager = void 0;
 exports.createAuthManager = createAuthManager;
+const asyncUtils_1 = require("./utils/asyncUtils");
 /**
  * Storage keys used by AuthManager.
  */
@@ -102,6 +103,7 @@ class AuthManager {
         this.listeners = new Set();
         this.currentUser = null;
         this.refreshTimer = null;
+        this.refreshPromise = null;
         this.oxyServices = oxyServices;
         this.config = {
             storage: config.storage ?? this.getDefaultStorage(),
@@ -202,27 +204,50 @@ class AuthManager {
         }
     }
     /**
-     * Refresh the access token.
+     * Refresh the access token. Deduplicates concurrent calls so only one
+     * refresh request is in-flight at a time.
      */
     async refreshToken() {
+        // If a refresh is already in-flight, return the same promise
+        if (this.refreshPromise) {
+            return this.refreshPromise;
+        }
+        this.refreshPromise = this._doRefreshToken();
+        try {
+            return await this.refreshPromise;
+        }
+        finally {
+            this.refreshPromise = null;
+        }
+    }
+    async _doRefreshToken() {
         const refreshToken = await this.storage.getItem(STORAGE_KEYS.REFRESH_TOKEN);
         if (!refreshToken) {
             return false;
         }
         try {
-            // Cast httpService to proper type (needed due to mixin composition)
-            const httpService = this.oxyServices.httpService;
-            const response = await httpService.request({
-                method: 'POST',
-                url: '/api/auth/refresh',
-                data: { refreshToken },
-                cache: false,
+            await (0, asyncUtils_1.retryAsync)(async () => {
+                const httpService = this.oxyServices.httpService;
+                const response = await httpService.request({
+                    method: 'POST',
+                    url: '/api/auth/refresh',
+                    data: { refreshToken },
+                    cache: false,
+                });
+                await this.handleAuthSuccess(response, 'credentials');
+            }, 2, // 2 retries = 3 total attempts
+            1000, // 1s base delay with exponential backoff + jitter
+            (error) => {
+                // Don't retry on 4xx client errors (invalid/revoked token)
+                const status = error?.status ?? error?.response?.status;
+                if (status && status >= 400 && status < 500)
+                    return false;
+                return true;
             });
-            await this.handleAuthSuccess(response, 'credentials');
             return true;
         }
         catch {
-            // Refresh failed, clear session and update state
+            // All retry attempts exhausted, clear session
             await this.clearSession();
             this.currentUser = null;
             this.notifyListeners();

package/dist/cjs/CrossDomainAuth.js

@@ -11,7 +11,7 @@
  *
  * Usage:
  * ```typescript
- * import { CrossDomainAuth } from '@oxyhq/services';
+ * import { CrossDomainAuth } from '@oxyhq/core';
  *
  * const auth = new CrossDomainAuth(oxyServices);
  *
@@ -238,7 +238,7 @@ exports.CrossDomainAuth = CrossDomainAuth;
  *
  * @example
  * ```typescript
- * import { createCrossDomainAuth } from '@oxyhq/services';
+ * import { createCrossDomainAuth } from '@oxyhq/core';
  *
  * const oxyServices = new OxyServices({ baseURL: 'https://api.oxy.so' });
  * const auth = createCrossDomainAuth(oxyServices);

package/dist/cjs/HttpService.js

@@ -19,6 +19,7 @@ const cache_1 = require("./utils/cache");
 const requestUtils_1 = require("./utils/requestUtils");
 const asyncUtils_1 = require("./utils/asyncUtils");
 const errorUtils_1 = require("./utils/errorUtils");
+const debugUtils_1 = require("./shared/utils/debugUtils");
 const jwt_decode_1 = require("jwt-decode");
 const platform_1 = require("./utils/platform");
 /**
@@ -84,6 +85,7 @@ class TokenStore {
  */
 class HttpService {
     constructor(config) {
+        this.tokenRefreshPromise = null;
         // Performance monitoring
         this.requestMetrics = {
             totalRequests: 0,
@@ -189,7 +191,7 @@ class HttpService {
                     headers['X-Native-App'] = 'true';
                 }
                 // Debug logging for CSRF issues
-                if (isStateChangingMethod && __DEV__) {
+                if (isStateChangingMethod && (0, debugUtils_1.isDev)()) {
                     console.log('[HttpService] CSRF Debug:', {
                         url,
                         method,
@@ -373,20 +375,20 @@ class HttpService {
         // Return cached token if available
         const cachedToken = this.tokenStore.getCsrfToken();
         if (cachedToken) {
-            if (__DEV__)
+            if ((0, debugUtils_1.isDev)())
                 console.log('[HttpService] Using cached CSRF token');
             return cachedToken;
         }
         // Deduplicate concurrent CSRF token fetches
         const existingPromise = this.tokenStore.getCsrfTokenFetchPromise();
         if (existingPromise) {
-            if (__DEV__)
+            if ((0, debugUtils_1.isDev)())
                 console.log('[HttpService] Waiting for existing CSRF fetch');
             return existingPromise;
         }
         const fetchPromise = (async () => {
             try {
-                if (__DEV__)
+                if ((0, debugUtils_1.isDev)())
                     console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/api/csrf-token`);
                 // Use AbortController for timeout (more compatible than AbortSignal.timeout)
                 const controller = new AbortController();
@@ -398,11 +400,11 @@ class HttpService {
                     signal: controller.signal,
                 });
                 clearTimeout(timeoutId);
-                if (__DEV__)
+                if ((0, debugUtils_1.isDev)())
                     console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
                 if (response.ok) {
                     const data = await response.json();
-                    if (__DEV__)
+                    if ((0, debugUtils_1.isDev)())
                         console.log('[HttpService] CSRF response data:', data);
                     const token = data.csrfToken || null;
                     this.tokenStore.setCsrfToken(token);
@@ -416,13 +418,13 @@ class HttpService {
                     this.logger.debug('CSRF token from header');
                     return headerToken;
                 }
-                if (__DEV__)
+                if ((0, debugUtils_1.isDev)())
                     console.log('[HttpService] CSRF fetch failed with status:', response.status);
                 this.logger.warn('Failed to fetch CSRF token:', response.status);
                 return null;
             }
             catch (error) {
-                if (__DEV__)
+                if ((0, debugUtils_1.isDev)())
                     console.log('[HttpService] CSRF fetch error:', error);
                 this.logger.warn('CSRF token fetch error:', error);
                 return null;
@@ -447,24 +449,17 @@ class HttpService {
             const currentTime = Math.floor(Date.now() / 1000);
             // If token expires in less than 60 seconds, refresh it
             if (decoded.exp && decoded.exp - currentTime < 60 && decoded.sessionId) {
+                // Deduplicate concurrent refresh attempts
+                if (!this.tokenRefreshPromise) {
+                    this.tokenRefreshPromise = this._refreshTokenFromSession(decoded.sessionId);
+                }
                 try {
-                    const refreshUrl = `${this.baseURL}/api/session/token/${decoded.sessionId}`;
-                    // Use AbortSignal.timeout for consistent timeout handling
-                    const response = await fetch(refreshUrl, {
-                        method: 'GET',
-                        headers: { 'Accept': 'application/json' },
-                        signal: AbortSignal.timeout(5000),
-                        credentials: 'include', // Include cookies for cross-origin requests
-                    });
-                    if (response.ok) {
-                        const { accessToken: newToken } = await response.json();
-                        this.tokenStore.setTokens(newToken);
-                        this.logger.debug('Token refreshed');
-                        return `Bearer ${newToken}`;
-                    }
+                    const result = await this.tokenRefreshPromise;
+                    if (result)
+                        return result;
                 }
-                catch (refreshError) {
-                    this.logger.warn('Token refresh failed, using current token');
+                finally {
+                    this.tokenRefreshPromise = null;
                 }
             }
             return `Bearer ${accessToken}`;
@@ -474,6 +469,27 @@ class HttpService {
             return `Bearer ${accessToken}`;
         }
     }
+    async _refreshTokenFromSession(sessionId) {
+        try {
+            const refreshUrl = `${this.baseURL}/api/session/token/${sessionId}`;
+            const response = await fetch(refreshUrl, {
+                method: 'GET',
+                headers: { 'Accept': 'application/json' },
+                signal: AbortSignal.timeout(5000),
+                credentials: 'include',
+            });
+            if (response.ok) {
+                const { accessToken: newToken } = await response.json();
+                this.tokenStore.setTokens(newToken);
+                this.logger.debug('Token refreshed');
+                return `Bearer ${newToken}`;
+            }
+        }
+        catch (refreshError) {
+            this.logger.warn('Token refresh failed, using current token');
+        }
+        return null;
+    }
     /**
      * Unwrap standardized API response format
      */

package/dist/cjs/OxyServices.base.js

@@ -15,6 +15,8 @@ const OxyServices_errors_1 = require("./OxyServices.errors");
  */
 class OxyServicesBase {
     constructor(...args) {
+        /** @internal */ this._cachedUserId = undefined;
+        /** @internal */ this._cachedAccessToken = null;
         const config = args[0];
         if (!config || typeof config !== 'object') {
             throw new Error('OxyConfig is required');
@@ -98,20 +100,31 @@ class OxyServicesBase {
      */
     clearTokens() {
         this.httpService.clearTokens();
+        this._cachedUserId = undefined;
+        this._cachedAccessToken = null;
     }
     /**
-     * Get the current user ID from the access token
+     * Get the current user ID from the access token.
+     * Caches the decoded value and invalidates when the token changes.
      */
     getCurrentUserId() {
         const accessToken = this.httpService.getAccessToken();
+        // Return cached value if token hasn't changed
+        if (accessToken === this._cachedAccessToken && this._cachedUserId !== undefined) {
+            return this._cachedUserId;
+        }
+        this._cachedAccessToken = accessToken;
         if (!accessToken) {
+            this._cachedUserId = null;
             return null;
         }
         try {
             const decoded = (0, jwt_decode_1.jwtDecode)(accessToken);
-            return decoded.userId || decoded.id || null;
+            this._cachedUserId = decoded.userId || decoded.id || null;
+            return this._cachedUserId;
         }
-        catch (error) {
+        catch {
+            this._cachedUserId = null;
             return null;
         }
     }

package/dist/cjs/crypto/keyManager.js

@@ -43,6 +43,7 @@ exports.KeyManager = void 0;
 const elliptic_1 = require("elliptic");
 const platform_1 = require("../utils/platform");
 const loggerUtils_1 = require("../utils/loggerUtils");
+const debugUtils_1 = require("../shared/utils/debugUtils");
 // Lazy imports for React Native specific modules
 let SecureStore = null;
 let ExpoCrypto = null;
@@ -77,7 +78,9 @@ const ANDROID_ACCOUNT_TYPE = 'com.oxy.account';
 async function initSecureStore() {
     if (!SecureStore) {
         try {
-            SecureStore = await Promise.resolve().then(() => __importStar(require('expo-secure-store')));
+            // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+            const moduleName = 'expo-secure-store';
+            SecureStore = await Promise.resolve(`${moduleName}`).then(s => __importStar(require(s)));
         }
         catch (error) {
             const errorMessage = error instanceof Error ? error.message : String(error);
@@ -110,7 +113,9 @@ function isWebPlatform() {
 }
 async function initExpoCrypto() {
     if (!ExpoCrypto) {
-        ExpoCrypto = await Promise.resolve().then(() => __importStar(require('expo-crypto')));
+        // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+        const moduleName = 'expo-crypto';
+        ExpoCrypto = await Promise.resolve(`${moduleName}`).then(s => __importStar(require(s)));
     }
     return ExpoCrypto;
 }
@@ -237,7 +242,7 @@ class KeyManager {
         // Update cache
         KeyManager.cachedSharedPublicKey = publicKey;
         KeyManager.cachedHasSharedIdentity = true;
-        if (__DEV__) {
+        if ((0, debugUtils_1.isDev)()) {
             loggerUtils_1.logger.debug('Shared identity created successfully', { component: 'KeyManager' });
         }
         return publicKey;
@@ -271,7 +276,7 @@ class KeyManager {
             return publicKey;
         }
         catch (error) {
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.warn('Failed to get shared public key', { component: 'KeyManager' }, error);
             }
             KeyManager.cachedSharedPublicKey = null;
@@ -304,7 +309,7 @@ class KeyManager {
             return privateKey;
         }
         catch (error) {
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.warn('Failed to get shared private key', { component: 'KeyManager' }, error);
             }
             return null;
@@ -331,7 +336,7 @@ class KeyManager {
             return hasShared;
         }
         catch (error) {
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.warn('Failed to check shared identity', { component: 'KeyManager' }, error);
             }
             KeyManager.cachedHasSharedIdentity = false;
@@ -374,7 +379,7 @@ class KeyManager {
         // Update cache
         KeyManager.cachedSharedPublicKey = publicKey;
         KeyManager.cachedHasSharedIdentity = true;
-        if (__DEV__) {
+        if ((0, debugUtils_1.isDev)()) {
             loggerUtils_1.logger.debug('Shared identity imported successfully', { component: 'KeyManager' });
         }
         return publicKey;
@@ -408,12 +413,12 @@ class KeyManager {
                 await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_ID, sessionId);
                 await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, accessToken);
             }
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.debug('Shared session stored successfully', { component: 'KeyManager' });
             }
         }
         catch (error) {
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.error('Failed to store shared session', error, { component: 'KeyManager' });
             }
             throw error;
@@ -453,7 +458,7 @@ class KeyManager {
             return { sessionId, accessToken };
         }
         catch (error) {
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.warn('Failed to get shared session', { component: 'KeyManager' }, error);
             }
             return null;
@@ -483,12 +488,12 @@ class KeyManager {
                 await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_ID);
                 await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN);
             }
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.debug('Shared session cleared successfully', { component: 'KeyManager' });
             }
         }
         catch (error) {
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.error('Failed to clear shared session', error, { component: 'KeyManager' });
             }
         }
@@ -510,7 +515,7 @@ class KeyManager {
             // Check if we already have a shared identity
             const hasShared = await KeyManager.hasSharedIdentity();
             if (hasShared) {
-                if (__DEV__) {
+                if ((0, debugUtils_1.isDev)()) {
                     loggerUtils_1.logger.debug('Shared identity already exists, skipping migration', { component: 'KeyManager' });
                 }
                 return true;
@@ -518,20 +523,20 @@ class KeyManager {
             // Get local identity
             const privateKey = await KeyManager.getPrivateKey();
             if (!privateKey) {
-                if (__DEV__) {
+                if ((0, debugUtils_1.isDev)()) {
                     loggerUtils_1.logger.debug('No local identity to migrate', { component: 'KeyManager' });
                 }
                 return false;
             }
             // Import to shared storage
             await KeyManager.importSharedIdentity(privateKey);
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.debug('Successfully migrated local identity to shared identity', { component: 'KeyManager' });
             }
             return true;
         }
         catch (error) {
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.error('Failed to migrate to shared identity', error, { component: 'KeyManager' });
             }
             return false;
@@ -591,7 +596,7 @@ class KeyManager {
         catch (error) {
             // If secure store is not available, return null (no identity)
             // This allows the app to continue functioning even if secure store fails to load
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
             }
             return null;
@@ -618,7 +623,7 @@ class KeyManager {
             // If secure store is not available, return null (no identity)
             // Cache null to avoid repeated failed attempts
             KeyManager.cachedPublicKey = null;
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
             }
             return null;
@@ -645,7 +650,7 @@ class KeyManager {
             // If we can't check, assume no identity (safer default)
             // Cache false to avoid repeated failed attempts
             KeyManager.cachedHasIdentity = false;
-            if (__DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.warn('Failed to check identity', { component: 'KeyManager' }, error);
             }
             return false;
@@ -678,12 +683,12 @@ class KeyManager {
         if (!skipBackup) {
             try {
                 const backupSuccess = await KeyManager.backupIdentity();
-                if (!backupSuccess && typeof __DEV__ !== 'undefined' && __DEV__) {
+                if (!backupSuccess && (0, debugUtils_1.isDev)()) {
                     loggerUtils_1.logger.warn('Failed to backup identity before deletion - proceeding anyway', { component: 'KeyManager' });
                 }
             }
             catch (backupError) {
-                if (typeof __DEV__ !== 'undefined' && __DEV__) {
+                if ((0, debugUtils_1.isDev)()) {
                     loggerUtils_1.logger.warn('Failed to backup identity before deletion', { component: 'KeyManager' }, backupError);
                 }
             }
@@ -728,7 +733,7 @@ class KeyManager {
             return true;
         }
         catch (error) {
-            if (typeof __DEV__ !== 'undefined' && __DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.error('Failed to backup identity', error, { component: 'KeyManager' });
             }
             return false;
@@ -768,7 +773,7 @@ class KeyManager {
             return true;
         }
         catch (error) {
-            if (typeof __DEV__ !== 'undefined' && __DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.error('Identity integrity check failed', error, { component: 'KeyManager' });
             }
             return false;
@@ -816,7 +821,7 @@ class KeyManager {
             return false;
         }
         catch (error) {
-            if (typeof __DEV__ !== 'undefined' && __DEV__) {
+            if ((0, debugUtils_1.isDev)()) {
                 loggerUtils_1.logger.error('Failed to restore identity from backup', error, { component: 'KeyManager' });
             }
             return false;

package/dist/cjs/crypto/polyfill.js

@@ -35,7 +35,12 @@ function getRandomBytesSync(byteCount) {
     if (!expoCryptoLoadAttempted) {
         expoCryptoLoadAttempted = true;
         try {
-            expoCryptoModule = require('expo-crypto');
+            // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
+            // crypto.getRandomValues exists natively so this code path is never reached.
+            if (typeof require !== 'undefined') {
+                const moduleName = 'expo-crypto';
+                expoCryptoModule = require(moduleName);
+            }
         }
         catch {
             // expo-crypto not available — expected in non-RN environments

package/dist/cjs/crypto/signatureService.js

@@ -62,7 +62,9 @@ function isNodeJS() {
  */
 async function initExpoCrypto() {
     if (!ExpoCrypto) {
-        ExpoCrypto = await Promise.resolve().then(() => __importStar(require('expo-crypto')));
+        // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+        const moduleName = 'expo-crypto';
+        ExpoCrypto = await Promise.resolve(`${moduleName}`).then(s => __importStar(require(s)));
     }
     return ExpoCrypto;
 }
@@ -70,25 +72,29 @@ async function initExpoCrypto() {
  * Compute SHA-256 hash of a string
  */
 async function sha256(message) {
-    // In React Native, always use expo-crypto
-    if (isReactNative() || !isNodeJS()) {
+    // In React Native, use expo-crypto
+    if (isReactNative()) {
         const Crypto = await initExpoCrypto();
         return Crypto.digestStringAsync(Crypto.CryptoDigestAlgorithm.SHA256, message);
     }
     // In Node.js, use Node's crypto module
-    // Use Function constructor to prevent Metro bundler from statically analyzing this require
-    // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
-    try {
-        // eslint-disable-next-line @typescript-eslint/no-implied-eval
-        const getCrypto = new Function('return require("crypto")');
-        const crypto = getCrypto();
-        return crypto.createHash('sha256').update(message).digest('hex');
-    }
-    catch (error) {
-        // Fallback to expo-crypto if Node crypto fails
-        const Crypto = await initExpoCrypto();
-        return Crypto.digestStringAsync(Crypto.CryptoDigestAlgorithm.SHA256, message);
+    if (isNodeJS()) {
+        try {
+            // eslint-disable-next-line @typescript-eslint/no-implied-eval
+            const getCrypto = new Function('return require("crypto")');
+            const nodeCrypto = getCrypto();
+            return nodeCrypto.createHash('sha256').update(message).digest('hex');
+        }
+        catch {
+            // Fall through to Web Crypto API
+        }
     }
+    // Browser: use Web Crypto API
+    const encoder = new TextEncoder();
+    const data = encoder.encode(message);
+    const hashBuffer = await globalThis.crypto.subtle.digest('SHA-256', data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
 }
 class SignatureService {
     /**
@@ -96,29 +102,32 @@ class SignatureService {
      * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
      */
     static async generateChallenge() {
-        if (isReactNative() || !isNodeJS()) {
-            // Use expo-crypto for React Native (expo-random is deprecated)
+        // In React Native, use expo-crypto
+        if (isReactNative()) {
             const Crypto = await initExpoCrypto();
             const randomBytes = await Crypto.getRandomBytesAsync(32);
             return Array.from(randomBytes)
                 .map((b) => b.toString(16).padStart(2, '0'))
                 .join('');
         }
-        // Node.js fallback
-        try {
-            // eslint-disable-next-line @typescript-eslint/no-implied-eval
-            const getCrypto = new Function('return require("crypto")');
-            const crypto = getCrypto();
-            return crypto.randomBytes(32).toString('hex');
-        }
-        catch (error) {
-            // Fallback to expo-crypto if Node crypto fails
-            const Crypto = await initExpoCrypto();
-            const randomBytes = await Crypto.getRandomBytesAsync(32);
-            return Array.from(randomBytes)
-                .map((b) => b.toString(16).padStart(2, '0'))
-                .join('');
+        // In Node.js, use Node's crypto module
+        if (isNodeJS()) {
+            try {
+                // eslint-disable-next-line @typescript-eslint/no-implied-eval
+                const getCrypto = new Function('return require("crypto")');
+                const nodeCrypto = getCrypto();
+                return nodeCrypto.randomBytes(32).toString('hex');
+            }
+            catch {
+                // Fall through to Web Crypto API
+            }
         }
+        // Browser: use Web Crypto API
+        const bytes = new Uint8Array(32);
+        globalThis.crypto.getRandomValues(bytes);
+        return Array.from(bytes)
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('');
     }
     /**
      * Hash a message using SHA-256